Remote security with Red Hat Enterprise Linux
Giuseppe “Gippa” Paternò
Red Hat - Solution Architect & EMEA Security Prod. Expert
Visiting Researcher – Trinity College Dublin
[email protected]
[email protected]
May 13, 2015
Who am I
● Currently Solution Architect and EMEA Security Expert in Red Hat
● Visiting Researcher at Trinity College Dublin
● Previously Security Solution Architect in Sun and also in IBM
● Red Hat Certified Security Specialist (RHCSS), RH Architect (RHCA) and Cisco Certified Network Professional (CCNP)
● Part of the Italian security community sikurezza.org
● Forensic analysis for local governments
More on:
● http://www.gpaterno.com/
● http://www.scss.tcd.ie/Giuseppe.Paterno/
● http://www.linkedin.com/in/gpaterno
Agenda
The “Defense in Depth” philosophy
Advantages of OSS on Security
Statistics about Linux vulnerabilities
Security of the Operating System
● Hardening, minimization and how Linux is positioned
● Kernel security and other features
● The importance of patching
● MAC systems: SELinux
Authentication and authorization
● Smart Cards and Biometric authentication
● Integration with Linux and with applications
● Authorization and profiling, i.e. assigning roles
Application protection
● Be aware of the “default” installation
● Use of the application-layer firewalls
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”
Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security.
The “Defense in Depth” philosophy
Any system, configuration, application and even the software development process has to be designed with security in mind
It uses several security layers to secure systems and data.
● Use of multiple computer security techniques to help mitigate the risk of one defence being compromised or circumvented
● Ex: using antivirus on both workstations and file/mail servers
This concept should be applied to every system, especially those that hold sensitive data or wherever security is highly required
The “Defense in Depth” philosophy
This translates into:
● Secure the OS
● Secure access to the network
● Use a common/central authentication and authorization
● Secure the applications
● Think and develop applications in a secure way
Red Hat Enterprise Linux is the only OS that respects the “Defense in Depth” philosophy
Advantages of OSS on Security
Open Source means that the code is publicly available
A great number of people (the community) can evaluate the code of the project and:
● Find memory leaks in the code (programming error)
● Find a poorly secure algorithm/protocol (design error)
● Have a peer review (from expert people)
As a result we will (and a given vendor will):
● Have the best code and algorithm
● Have a quick fix for the problem (even on day 0)
● Most of the “white-hats” produce both an exploit and a patch for the program
Most of the projects reuse standard algorithms/code (libraries), thus eliminating common problems.
Linux (RHEL) default install vulnerabilities:
Number of vulnerabilities by severity (chart data):
● Critical: 3 (1%)
● Important: 160 (44%)
● Moderate: 117 (32%)
● Low: 82 (23%)
Security of the OS: hardening/minimization
Out of the box, nearly all operating systems are configured insecurely. Hardening is minimizing a computer's exposure to current and future threats.
How it works:
● Remove unnecessary users/groups
● Disable unused services
● Configure securely all used applications
● Configure the strongest authentication possible
● Use and configure firewalls/IDS/IPS/MAC Systems...
Fewer software components on a server means fewer security holes to detect and fill
Minimizing the number of OS modules installed on a server can greatly improve overall system security by reducing the number of vulnerabilities.
Security of the OS: how is Linux
Most Linux distributions are hardened and secured by default (at least RHEL and Fedora are ;)
● Only SSH opened and other services on loopback only
● No insecure/unencrypted services (telnet/ftp/r*)
● Firewall and Mandatory Access Control (MAC) systems enabled by default
● All unnecessary users/groups set to nologin
● Default packages set to minimum (minimization)
● The admin installs only what is strictly necessary to run the server
● Minimal systems are usually supported!!
Security of the OS: kernel
Buffer overflow:
● It injects arbitrary code (usually a shell) into the program's data area and executes it
● Attackers gain the access and privileges of the exploited program
How to prevent:
● No-Execute and Exec-shield technology
● Software emulation of the no-execute bit for the data area
● Flag data memory as non-executable and program memory as non-writeable
● PIE (Position Independent Executable)
● Randomization of the application address in the stack
Security of the OS: other features
Restricted Memory Access
● Restricts how the kernel memory (/dev/mem) can be overwritten. This prevents several rootkits from functioning, resulting in a safer and more secure system.
Kernel signature (ksign)
● Signature of kernel modules, to allow only certain GPG-signed kernel modules to be loaded
● Avoids rootkits that hide themselves
Secure application compile (FORTIFY_SOURCE and Stack-Smashing Protector)
● "FORTIFY_SOURCE" is a gcc option that detects and prevents a subset of buffer overflows before they can do damage (unchecked buffer size)
ELF (Executable and Linkable Format) Data Hardening
RPM Signing
● Each package/application is signed by the vendor so that any change is tracked (same effect as tripwire)
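The NX and PIE mitigations from the kernel slide can be verified on a built binary by reading its ELF headers. The following checker is an added example, not code from the slides or from Red Hat: it parses the ELF64 header and program headers, reports PIE (e_type == ET_DYN) and NX (PT_GNU_STACK without the PF_X flag), and builds a constructed in-memory ELF image to exercise itself offline.

```python
import struct

ET_DYN = 3                 # e_type of a PIE (position-independent executable)
PT_GNU_STACK = 0x6474e551  # program header carrying the stack permission flags
PF_X = 0x1                 # executable flag

def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool|None} for a little-endian ELF64 image.
    nx is None when no PT_GNU_STACK header exists (old toolchain); on x86 the
    kernel has historically treated that as an executable stack, so report it
    as not hardened rather than as safe."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]         # e_type at offset 16
    e_phoff = struct.unpack_from("<Q", data, 32)[0]        # e_phoff at offset 32
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack must not be executable
    return {"pie": e_type == ET_DYN, "nx": nx}

def check_file(path: str) -> dict:
    """Run the check on a real binary, e.g. check_file('/bin/ls')."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())

def build_sample(e_type: int, stack_flags: int) -> bytes:
    """Constructed test image: ELF64 header + one PT_GNU_STACK program header.
    Not a runnable program, only enough for the header parser above."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0,      # type, x86-64, version, entry
                                 64, 0, 0,              # phoff, shoff, flags
                                 64, 56, 1, 64, 0, 0)   # ehsize, phentsize, phnum, sh*
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # PIE with a read/write (non-executable) stack: a hardened build.
    print(check_hardening(build_sample(ET_DYN, 0x6)))   # {'pie': True, 'nx': True}
    # Classic executable with an rwx stack: neither mitigation present.
    print(check_hardening(build_sample(2, 0x7)))        # {'pie': False, 'nx': False}
```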
Security in the OS: MAC and SELinux
Mandatory Access Control (MAC) is a kind of access control defined by the Trusted Computer System Evaluation Criteria
● “[...] restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity” (from Wikipedia)
The most used MAC system in Linux is Security Enhanced Linux (SELinux)
● Developed initially by the NSA (National Security Agency)
● Several contributors, such as Red Hat, Tresys, IBM, ....
● Certified Common Criteria (EAL4+) and used by the military
● When used in “strict” mode it is even more secure
● Based on policies that confine user programs and system services to the minimum amount of privilege they require to do their jobs
SE-Linux: overview
By default, anything not explicitly permitted is denied
Rules are called “policies”
Two pre-defined policies in RHEL/Fedora, i.e.:
● targeted: only common daemons are confined (typically only the ones started from init.d/*), leaving the others “unconfined”
● strict: any process within the system is confined
RHEL is in “targeted” mode by default, while Fedora is in “strict”: daemons with remote access (apache, mysql, ...) are protected by the SE-Linux “shield”
SE-Linux Security Context
All files and processes have a security context
The context has several elements, example:
user:role:type:sensitivity:category
● User: root OR user_u (Processes: system_u)
● Role: Files -> object_r ; Processes -> system_r
● Type: Used by Type Enforcement to specify the nature of the data
$ ps -ZC bash,sshd
LABEL PID TTY TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023 1709 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0 00:00:00 bash
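Under the targeted policy, a daemon that ends up in unconfined_t is exactly the case the SELinux “shield” does not cover. The script below is an added example, not from the slides: it parses the ps -Z label format shown above (user:role:type:level, where the level may itself contain a colon) and lists daemons, i.e. processes with no controlling terminal, that are running unconfined. The sample output is constructed: the first two rows copy the slide, the httpd and mydaemon rows are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample of `ps -Z` output; not a real capture.
SAMPLE_PS_Z = """\
LABEL                                          PID TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023       1709 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0 00:00:00 bash
system_u:system_r:httpd_t:s0                  2201 ?        00:00:05 httpd
unconfined_u:unconfined_r:unconfined_t:s0     2302 ?        00:00:01 mydaemon
"""

@dataclass
class Context:
    user: str
    role: str
    type: str
    level: str   # sensitivity, optionally followed by ':' and a category set

def parse_context(label: str) -> Context:
    """Split an SELinux label into its fields. The MLS/MCS level is the fourth
    field and may contain a colon itself (e.g. s0-s0:c0.c1023), so split at
    most three times and keep the remainder whole."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {label!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)

def parse_ps_z(text: str) -> list:
    """Return (pid, tty, cmd, Context) tuples for each data row of `ps -Z`."""
    rows = []
    for line in text.splitlines():
        if line.startswith("LABEL"):
            continue                       # column header
        fields = line.split(None, 4)       # CMD may contain spaces: keep it whole
        if len(fields) < 5:
            continue
        label, pid, tty, _time, cmd = fields
        rows.append((int(pid), tty, cmd, parse_context(label)))
    return rows

def unconfined_daemons(text: str) -> list:
    """Daemons ('?' TTY) running in unconfined_t: not protected by the targeted
    policy and therefore worth a dedicated domain or a policy module."""
    return [cmd for _pid, tty, cmd, ctx in parse_ps_z(text)
            if tty == "?" and ctx.type == "unconfined_t"]

if __name__ == "__main__":
    print(unconfined_daemons(SAMPLE_PS_Z))   # ['mydaemon']
```

On a live RHEL host, feed it the real output with `unconfined_daemons(subprocess.check_output(["ps", "-eZ"], text=True))`; an interactive shell such as the bash row is expected to be unconfined and is not reported.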
SE Linux: an Italian success
We are protecting the Italian government employees' payslips and tax declarations (around 4M users)
Security in the OS: patching
PATCHING IS IMPORTANT!!!
Always keep the system's security patches up-to-date
A management system that is able to apply all the patches seamlessly and avoid human errors is important
● After buffer overflows and “zero day”, the major security concerns are about human error on configuration files
That is:
● Apply patches automatically and roll back if necessary
● Compare software between machines (ex: cluster)
● Use a standard, proven configuration file for common services (ssh, authentication, ....) and distribute it
● An example is Red Hat Network Satellite
Authentication and authorization
Just to be clear on terms:
● Authentication is proving who you claim to be (who you are)
● Deals with identifying the users
● Can be:
● Username/Password (and variants such as Kerberos)
● One Time Passwords (OTP)
● Two Factor (key based: Smart Cards/Biometric)
● Authorization is giving permission to users (what you can do). Sometimes referred to as “profiling”.
● After the authentication phase, the user is profiled
● The application (ex: login shell, web application, ...) will give appropriate rights based upon certain parameters
● Parameters are usually stored in LDAP, but also in databases
Strong authentication: Smart Cards/Biometric/OTP
Authentication is usually based on username and password
● Passwords can easily be eavesdropped
● Kerberos and cryptography help to protect passwords but ...
● ... don't prevent users from giving away their passwords or copying them (keyloggers, post-it, social engineering, ...)
The best way is the famous “something you have” and “something you know”
● Smart Cards and biometric authentication cover “something you have”
● PINs or pass-phrases are usually “something you know”
● The only way is stealing the smart card (and it is not possible for biometrics apart from kidnapping ;)
● Smart Cards hold private keys of a PKI infrastructure (and a PIN or fingerprint unlocks the keyring)
● They can be revoked at any time
Authorization and Profiling (roles)
Every user should be granted the least privileges to do the job
Profiles and roles should be stored in a central repository
● Advantage is that authorization is common to all systems/applications
● Usually stored in LDAP
● OpenLDAP and Fedora Directory Server (RHDS) are the most famous in the OSS world
Each application should be designed to use profiling
● Java applications should use the JAAS APIs
● PHP/C/C++/Python should perform look-ups in LDAP directly
Examples (in infrastructure software)
● Apache with mod_authz_ldap
● AllowUsers in SSH
● Sudo with LDAP
Application Security
Each application should be configured securely!!!
● This statement can't be stressed enough
● Most of the “default installations” are open
● Hardening should involve the whole platform, not only the OS
● Configuration depends on the application itself
● Well-known for “infrastructure” software such as JBoss
● Contact your vendor or the OSS mailing lists for more information
Application Security
Use application-layer firewalls
● In the “Defense in Depth” philosophy they provide the edge protection layer
● Everything is encapsulated on port 80/443 (and 25) !!!
● The most valuable example in OSS is ModSecurity
● Web Application Firewall
● Real-Time Monitoring and Attack Detection
● Attack Prevention and Just-in-time Patching
● Other examples: spamassassin, clamav, squid + DansGuardian, SIP Express Router (SER), .....
Questions?
Thank you!
Giuseppe “Gippa” Paternò
Red Hat - Solution Architect & EMEA Security Prod. Expert
Visiting Researcher – Trinity College Dublin
[email protected]
[email protected]